SAS112 Implementation
UCSD Status Update
UCSD Office of the Controller
1
SAS112 Refresher



Communication to the Governing
Board of Internal Control Related
Matters Noted in an Audit.
Significantly “lowers the bar” as to
what is required to be reported.
Is effective for universities for the
current fiscal year that began June
30, 2006.
UCSD Office of the Controller
2
SAS112 Levels of Reporting



A control deficiency exists when the design or
operation of a control does not allow for the prevention
or detection of misstatements in a timely manner.
A significant deficiency is a control deficiency that
adversely affects our ability to initiate, authorize,
record, process, or report external financial data
reliably in accordance with GAAP such that there is
more than a remote likelihood that a misstatement
of our financial statements that is more than
inconsequential will not be prevented or detected.
A material weakness is a significant deficiency that
results in more than a remote likelihood that a
material misstatement of our financial statements
will not be prevented or detected.
UCSD Office of the Controller
3
SAS112 Reporting Triggers
for UCSD



A significant deficiency is triggered
for the campus if the misstatement
“could be” $2.9 million.(0.2% of Oper. Exp.)
A material weakness is triggered for
the campus if the misstatement
“could be” $14.7 million.(1% of Oper. Exp.)
Certain conditions defined are
“presumptive” of the above.
UCSD Office of the Controller
4
SAS112 Presumed Significant
Deficiencies or Material Weaknesses






Ineffective governance or ineffective oversight
of internal control.
Material misstatement of the financial
statement discovered by the auditor during the
annual audit.
Ineffective internal audit or risk assessment
function.
Ineffective regulatory compliance function.
Identification of any fraud on the part of senior
management.
Failure by management to assess a significant
deficiency that has been communicated to
them, and failure to correct such deficiency.
UCSD Office of the Controller
5
Requirements for Key
Controls Under SAS 112



A key control must exist.
A key control must be functioning
effectively.
A key control must be documented.
UCSD Office of the Controller
6
Why is a Reportable Condition
Under SAS112 Likely at UCSD?





Similar requirements in the corporate world
resulted in an initial high percentage of
reportable matters.
UCSD’s control environment is highly
decentralized.
SAS112 has already been in effect for UCSD
for 8 months.
All requirements of a key control will be
difficult to meet initially.
We are trying to do this with existing
resources. Corporations spent millions.
UCSD Office of the Controller
7
Strategies in Response
to SAS112

Identify Key Controls



Non-IT controls have been identified
and confirmed.
IT controls in process.
Assess Key Controls


Beginning with core business functions.
Working on improving systems for
overall mitigating controls.
UCSD Office of the Controller
8
Strategies in Response
to SAS112

Assess Presumptive Conditions


Make Necessary Changes in Response
to Assessments


Evaluation in progress.
Will proceed as assessments are
completed.
Communicate Widely Regarding
Control Responsibilities


Working with VC offices to establish
contact with leaders in various areas.
Presenting to all business officer forums.
UCSD Office of the Controller
9
Principles of Good Internal Control




Internal Control is the responsibility of
EVERYONE.
Control is a person at the source,
knowing the right thing to do, and
DOING IT.
If you are relying on someone else to
be the “bad guy”, we have lost control.
Accountability is essential if we are all
going to do the right thing every time.
UCSD Office of the Controller
10